Linux Generate Key For User

Posted on  by
  1. Generate Rsa Key Linux
  2. Linux Add User Set Password
  1. If the login is an non-interactive user utilized to perform utility tasks (e.g. Running running maine scripts on remote servers), then yes, you would probably generate the key for that user manually. Of course, that has its own security implications, but that's another story.
  2. How to Generate a Public/Private Key Pair for Use With Solaris Secure Shell. Users must generate a public/private key pair when their site implements host-based authentication or user public-key authentication. For additional options, see the ssh-keygen(1) man page. Before You Begin.
  3. Creating an SSH Key Pair for User Authentication. The simplest way to generate a key pair is to run ssh-keygen without arguments. In this case, it will prompt for the file in which to store keys. Here's an example: klar (11:39) ssh-keygen Generating public/private rsa key pair.
  4. Use the ssh-keygen command to generate a public/private authentication key pair. Authentication keys allow a user to connect to a remote system without supplying a password. Keys must be generated for each user separately. If you generate key pairs as the root user, only the root can use the keys.

Generating Your SSH Public Key. In order to provide a public key, each user in your system must generate one if they don’t already have one. This process is similar across all operating systems. First, you should check to make sure you don’t already have a key. Which is provided with the SSH package on Linux/macOS systems and comes. I have Ubuntu Server 14.04 LTS. I have Public key authentication enabled by default. I used the following command to create new user: sudo useradd -m -c 'John T.' John -s /bin/bash The command. Dec 18, 2019  Using SSH keys is more secure and convenient than traditional password authentication. In this tutorial, we will walk through how to generate SSH keys on Ubuntu 18.04 machines. We will also show you how to set up an SSH key-based authentication and connect to your remote Linux servers without entering a password. Creating SSH keys on Ubuntu #.

I am a new Ubuntu 18.04 LTS user and I would like to setup ssh public key authentication. How do I set up ssh keys based authentication on Ubuntu Linux 18.04 LTS server? How do I set up SSH keys on an Ubuntu Linux 18.04 LTS server? In Ubuntu 18.04 LTS, how do I set up public key authentication?
Introduction: OpenSSH is a free and open source client/server technology for secure remote login. It is an implementation of the SSH protocol. OpenSSH divided into sshd (server) and various client tools such as sftp, scp, ssh and more. One can do remote login with OpenSSH either using password or combination of private and public keys named as public key based authentication. It is an alternative security method for user passwords. This method is recommended on a VPS, cloud, dedicated or even home-based server or laptop. This page shows how to set up SSH keys on Ubuntu 18.04 LTS server.
Advertisements

Ubuntu 18.04 Setup SSH Public Key Authentication

The procedure to set up secure ssh keys on Ubuntu 18.04:

  1. Create the key pair using ssh-keygen command.
  2. Copy and install the public key using ssh-copy-id command.
  3. Add yourself to sudo admin account on Ubuntu 18.04 server.
  4. Disable the password login for root account on Ubuntu 18.04.

Sample set up for SSH Keys on Ubuntu 18.04


Where,

  • 202.54.1.55 – You store your public key on the remote hosts and you have an accounts on this Ubuntu Linux 18.04 LTS server.
  • Linux/macbook laptop – Your private key stays on the desktop/laptop/computer (or local server) you use to connect to 202.54.1.55 server. Do not share or give your private file to anyone.

In public key based method you can log into remote hosts and server, and transfer files to them, without using your account passwords. Feel free to replace 202.54.1.55 and client names with your actual setup. Enough talk, let’s set up public key authentication on Ubuntu Linux 18.04 LTS.

How to create the RSA/ed25519 key pair on your local desktop/laptop

Open the Terminal and type following commands if .ssh directory does not exists:
$ mkdir -p $HOME/.ssh
$ chmod 0700 $HOME/.ssh

Next generate a key pair for the protocol, run:
$ ssh-keygen
OR
$ ssh-keygen -t rsa 4096 -C 'My key for Linode server'
These days ED25519 keys are favored over RSA keys when backward compatibility is not needed:
$ ssh-keygen -t ed25519 -C 'My key for Linux server # 42'

How to install the public key in Ubuntu 18.04 remote server

The syntax is as follows:
ssh-copy-id your-user-name@your-ubuntu-server-name
ssh-copy-id -i ~/.ssh/file.pub your-user-name@your-ubuntu-server-name

For example:
## for RSA KEY ##
ssh-copy-id -i $HOME/.ssh/id_rsa.pub user@202.54.1.55
## for ED25519 KEY ##
ssh-copy-id -i $HOME/.ssh/id_ed25519.pub user@202.54.1.55
## install SSH KEY for root user ##
ssh-copy-id -i $HOME/.ssh/id_ed25519.pub root@202.54.1.55

I am going to install ssh key for a user named vivek (type command on your laptop/desktop where you generated RSA/ed25519 keys):
$ ssh-copy-id -i ~/.ssh/id_ed25519.pub vivek@202.54.1.55

Test it

Now try logging into the Ubuntu 18.04 LTS server, with ssh command from your client computer/laptop using ssh keys:
$ ssh your-user@your-server-name-here
$ ssh vivek@202.54.1.55

What are ssh-agent and ssh-add, and how do I use them on Ubuntu 18.04?

To get rid of a passphrase for the current session, add a passphrase to ssh-agent (see ssh-agent command for more info) and you will not be prompted for it when using ssh or scp/sftp/rsync to connect to hosts with your public key. The syntax is as follows:
$ eval $(ssh-agent)
Type the ssh-add command to prompt the user for a private key passphrase and adds it to the list maintained by ssh-agent command:
$ ssh-add
Enter your private key passphrase. Now try again to log into vivek@202.54.1.55 and you will NOT be prompted for a password:
$ ssh vivek@202.54.1.55

How to disable the password based login on a Ubuntu 18.04 server

Login to your server, type:
## client commands ##
$ eval $(ssh-agent)
$ ssh-add
$ ssh vivek@202.54.1.55

Now login as root user:
$ sudo -i
OR
$ su -i
Edit sshd_config file:
# vim /etc/ssh/sshd_config
OR
# nano /etc/ssh/sshd_config
Find PermitRootLogin and set it as follows:
PermitRootLogin no
Save and close the file. I am going to add a user named vivek to sudoers group on Ubuntu 18.04 server so that we can run sysadmin tasks:
# adduser vivek sudo
Restart/reload the sshd service:
# systemctl reload ssh
You can exit from all session and test it as follows:
$ ssh vivek@202.54.1.55
## become root on server for sysadmin task ##
$ sudo -i

How do I add or replace a passphrase for an existing private key?

To to change your SSH passphrase type the following command:
$ ssh-keygen -p

How do I backup my existing private/public SSH keys

Just copy files to your backup server or external USB pen/hard drive:

How do I protect my ssh keys?

  1. Always use a strong passphrase.
  2. Do not share your private keys anywhere online or store in insecure cloud storage or gitlab/github servers.
  3. Restrict privileges of the account.

Tip: Create and setup an OpenSSH config file to create shortcuts for servers

See how to create and use an OpenSSH ssh_config file for more info.

How do I secure my OpenSSH server?

See “OpenSSH Server Best Security Practices” for more info.

Generate Rsa Key Linux

Conclusion

You learned how to create and install ssh keys for SSH key-based authentication for Ubuntu Linux 18.04 LTS server. See OpenSSH server documents here and here for more info.

ADVERTISEMENTS

SSH is a cryptographic network protocol which is used to securely connect to a host over an unsecured connection. By default, any Linux operating system supports SSH; hence using a third party client is unnecessary like in the Windows platform. SSH protocol requires a server which accepts SSH connections, and a client which sends the requests to connect to the host. The typical usage of SSH protocol is remote login, remote commanding, and file transfer. Nowadays many Linux based servers make use of SSH protocol to tighten its security. A notable part of the SSH protocol is its authentication key pair which is used to identify and authorize users. So, this article demonstrates what are they, how to generate them, and how to utilize them to protect the server, and other relevant information.

How to Generate Keys and What Are They?

Generating SSH key pair consists of two basic phases. The first phase is generating the key pair on the local side, the second phase is copying it to the remote host, registering in the server and configuring the ssh daemon to make it useful. A key pair consists of two files, id_rsa and id_rsa.pub which are private and public keys respectively. The public key resides on the server side, whereas the private key is used when accessing it over SSH protocol.

In the following example ssh-keygen command is used to generate the key pair. When generating the key pair, the command prompt asks a name for a key, if it’s omitted the default name – id_rsa is used instead.

How to Use the Keys?

Once the key pair is generated on the local side through terminal window, the next step is to prepare them for employing for authentication purpose. The most convenient way to upload and register the public key in the server is using the ssh-copy-id command, what it does is copy the public key to the given user account located in the given host. As seen in the following example when the ssh-copy-id, username, the host name along with the password are all given the public key is copied and registered on the server side. If the username is root, the public key is uploaded to /root/.ssh/ on the server.

That being said, the server still isn’t protected with the SSH key pair as it’s not configured properly. Anyone can still access to the server if the password of the user account is known; hence the password has to be disabled while enabling the key pair verification. To disable the password authentication, edit /etc/ssh/sshd_config file where the settings for the SSH daemon are contained. In the file, the PasswordAuthentication has to be altered to NO, ChallengeResponseAuthentication should be altered to No as well. As the next step the sshd daemon has to be restarted for changes to take effect, which can be done with sudo systemctl reload sshd. Finally, the new key pair authentication method can be tested by giving ssh username@username in the terminal window.

Theory of The Keys and How They Work

The key pair is a part of the SSH standard which is used to connect to a remote host over an unsecured network. As stated earlier, the key pair consists of two keys – public and private keys which are uploaded to the server side and kept on the client side respectively. The public key is denoted by .pub extension, and the private key doesn’t have any extension.

When the user is accessing the server, the SSH daemon installed on the server side requests the user for the SSH private key, if it’s provided the private key is compared against the public key in the server. If the private key corresponds to the public key, authentication is successful, otherwise it rejects the login request. By default, the key pair uses RSA which is a cryptographic algorithm to generate the keys. But there are other popular algorithms as well, such as DSA and ECDSA.

ssh-keygen Command Line Options

ssh-keygen is used to generate keys and it provides a number of options to ease the key pair management, tighten the security and increase the flexibility. The following options are some of the prominent options which may come handy when managing a server.

Passphrase

The Passphrase option is used to provide a secondary protection when a key pair is used to authenticate the user. What it does is to secure the private key with a password and consequently the user is required to provide the passphrase when logging in to the remote host. It asks during the key pair creation.

Change the Bit Strength

Bit strength refers to the key pair’s key size which defines how strong the key pair is. Nowadays the standard size is 2048 bits, but it used to be 1024 bits and is no longer acceptable as it’s speculated that many powerful hardware are capable of cracking anything up to 1024 bits or even above given the right amount of time. Fortunately, ssh-keygen currently supports higher bit strength values such as 2048 and its next fashionable number 4096 which is recommended if it’s possible due to the large bit strength. The bit strength value can be adjusted with –b command, if it’s omitted the default value – 1024 or 2048 depending on the ssh-keygen is used.

Comment Public Key

Commenting is applicable to the public key, and is useful in organizing the keys if there are a large number of keys involved. The typical usage of commenting is when multiple admins use a server, but still want to distinguish one key from another. The following format is used to add a comment when generating a key pair.

Change Passphrase of a Private Key

Like adding a passphrase when generating a key pair, the existing passphrase can also be changed. Since the passphrase is applicable to the private key which resides on the client side, the command has to be executed on the client side along with the name of the private key. This option takes 3 parameters, old password, new password and the private key to apply the changes.

Change the Cryptographic Algorithm

Microsoft word 2007 product key generator. The Algorithm defines how the information in the key pair is encrypted in order to verify each other when the connection is being established. Ssh-keygen supports several popular algorithm types which are RSA, ECDSA, DSA, ED25519 and RSA1. Nowadays the popular algorithm among many servers is RSA due to its wide spread usage and relatively good security, however it’s currently being upgraded to the newer version ECDSA which is much lighter, and has a low bit value with a high security compared to RSA. ED25519 is the newest version among these, and therefore not many clients support it, but still server side implementation is possible at the moment. DSA is the oldest version among all these algorithms, and is no longer employed in most of the hosts as it’s not secure anymore. According to OpenSSH 7 standard the support for DSA will no longer be given. The format to use the algorithm is as following.

Linux Add User Set Password

SSH Key Gen Video Demonstration